Archived Manual Chapter: Access Policy Example

This article has been archived, and is no longer maintained.

The example access policy covered in this appendix is based on real-world use. You can find a description of the how-to scenario at the beginning of the section.
You can check your progress against screenshots provided at a number of steps. The intention is to keep you on track without overburdening you with screenshots.
When you complete the steps, you will have a working version of the functionality the scenario covers. All information you need to deploy the working model is provided, including any hints, best practices, requirements, or warnings.
In this example, you design an access policy that assigns different network access resources to a user, depending on the Microsoft Active Directory® primary group ID. This case study is built with a modified version of the AD Auth Query and Resources macro.
To configure this example, you should have a configured Active Directory AAA server on your system. However, you can configure the entire example without actually configuring an Active Directory server.
Two lease pools (192.168.105.1 - 192.168.105.100 and 192.168.106.100 - 192.168.106.111).
An Active Directory auth and query macro, for which you must configure actions, and to which you must add terminals.
Two Active Directory query actions. One Active Directory query checks for the primary group ID attribute with a value of 100, and one checks for the primary group ID attribute with a value of 200.
1. On the Main tab of the navigation pane, expand Access Control, and click ACLs.
   The ACLs screen opens.
2. Click the Create button.
   The New ACL screen opens.
3. In the Name box, type the name AD_ACL1.
4. Click the Create button.
   The ACL Properties screen opens.
5. Above the Access Control Entries list, click the Add button.
   The New Access Control Entry screen opens.
6. From the Action list, select Allow.
7. Click Finished.
   Because you did not type any IP addresses or ports, but only selected an action, this ACL is configured as a default ACL, which means this action (Allow) is applied to all connections, on all IP addresses, and all protocols.
9. Click the Create button.
   The New ACL screen opens.
10. In the Name box, type the name AD_ACL2.
11. Click the Create button.
   The ACL Properties screen opens.
12. Above the Access Control Entries list, click the Add button.
   The New Access Control Entry screen opens.
13.
14. From the Action list, select Reject.
15. Click Finished.
Again, because you did not type any IP addresses, but only selected an action and a protocol, this ACL rejects all connections on any IP address that attempt to use port 21, the typical FTP port.
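The two ACLs above differ only in scope: AD_ACL1 has one entry that matches every connection, AD_ACL2 has one entry that matches a single port. The following is an added example in plain Python, not F5 code and not the BIG-IP ACL engine; it models first-match evaluation of access control entries so you can see what each ACL decides for a given connection, and why the order of entries matters when a match-everything Allow entry sits in front of a Reject entry. It assumes the protocol chosen for AD_ACL2 is TCP (the appendix says a protocol was selected but does not show which) and that a connection matching no entry is allowed; both are labelled assumptions in the code.

```python
"""Model of the AD_ACL1 and AD_ACL2 access control lists (added example, not F5 code).

Assumptions (not stated in the appendix):
  * AD_ACL2 rejects TCP port 21; the appendix only says "an action and a protocol".
  * A connection that matches no entry is allowed (the `default` argument).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry. A None field means 'any', as leaving the box empty does."""
    action: str                     # "allow" or "reject"
    protocol: Optional[str] = None  # None = any protocol
    dst_port: Optional[int] = None  # None = any port
    dst_net: Optional[str] = None   # None = any address, otherwise a CIDR string


@dataclass(frozen=True)
class Connection:
    """Constructed description of one client connection through the network access tunnel."""
    protocol: str
    dst_ip: str
    dst_port: int


def ace_matches(ace: Ace, conn: Connection) -> bool:
    """True when every non-empty field of the entry matches the connection."""
    if ace.protocol is not None and ace.protocol != conn.protocol:
        return False
    if ace.dst_port is not None and ace.dst_port != conn.dst_port:
        return False
    if ace.dst_net is not None:
        if ipaddress.ip_address(conn.dst_ip) not in ipaddress.ip_network(ace.dst_net):
            return False
    return True


def evaluate_acl(acl: List[Ace], conn: Connection, default: str = "allow") -> str:
    """First-match evaluation: the first matching entry decides; otherwise `default` (assumption)."""
    for ace in acl:
        if ace_matches(ace, conn):
            return ace.action
    return default


# AD_ACL1: action Allow, nothing else filled in, so it is a default (match-all) ACL.
AD_ACL1 = [Ace(action="allow")]

# AD_ACL2: action Reject, protocol TCP (assumed), port 21, any address.
AD_ACL2 = [Ace(action="reject", protocol="tcp", dst_port=21)]


if __name__ == "__main__":
    ftp = Connection("tcp", "10.0.0.5", 21)       # constructed sample connection
    ssh = Connection("tcp", "10.0.0.5", 22)
    for name, acl in (("AD_ACL1", AD_ACL1), ("AD_ACL2", AD_ACL2)):
        print(name, "ftp:", evaluate_acl(acl, ftp), "ssh:", evaluate_acl(acl, ssh))
    # Ordering caveat: a match-all Allow entry placed first shadows everything after it.
    print("allow-all first, then reject-21:", evaluate_acl(AD_ACL1 + AD_ACL2, ftp))
    print("reject-21 first, then allow-all:", evaluate_acl(AD_ACL2 + AD_ACL1, ftp))
```

The last two lines of the demonstration are the practical point for anyone who later combines entries or ACLs: a default Allow entry evaluated first makes every later Reject entry unreachable, so a Reject for port 21 has to precede it.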
1. On the Main tab of the navigation pane, expand Access Control, and click Lease Pools.
   The Lease Pool List screen opens.
2. Click the Create button.
   The New Lease Pool screen opens.
3. In the Name box, type the name AD_Lease1.
4. Click the button IP Address Range.
5. In the Start IP Address box and the End IP Address box, type the start and end IP addresses for the IP address range. In this example, the start IP address is 192.168.105.1, and the end IP address is 192.168.105.100.
6. Click the Add button to add the IP addresses to the lease pool.
   The lease pool appears as in Figure B.1.
7. Click the Repeat button.
   The New Lease Pool screen opens.
8. In the Name box, type the name AD_Lease2.
9. In the Member List, select the existing entry (192.168.105.1 - 192.168.105.100) and click Delete.
10. In the Start IP Address box and the End IP Address box, type the start and end IP addresses for the IP address range. In this example, the start IP address is 192.168.106.100, and the end IP address is 192.168.106.111.
11. Click the Add button to add the IP addresses to the lease pool.
12. Click Finished.
Figure B.1 Lease pool example
In this task, you configure the network access resources and the resource groups for the case study. Each network access resource contains one ACL and one lease pool. Each resource group contains one network access resource.
1. On the Main tab of the navigation pane, expand Secure Connectivity and click Network Access.
   The Network Access screen opens.
2. Click the Create button to create a new network access resource.
   The New Resource screen opens.
3. In the Name box, type CaseStudy_NA_AD1 as the name for the network access resource.
6. Click Finished.
   The Properties screen for the network access resource opens.
7. On the Main tab of the navigation pane, under Secure Connectivity, click Network Access again.
   The Network Access screen opens.
8. Click the Create button to create a new network access resource.
   The New Resource screen opens.
9. In the Name box, type CaseStudy_NA_AD2 as the name for the network access resource.
12. Click Finished.
1. On the Main tab of the navigation pane, expand Secure Connectivity and click Resource Groups.
   The Resource Groups screen opens.
2. Click the Create button to create a new Resource Group.
   The New Resource screen opens.
3. In the Name box, type CaseStudy_1 as the name for the resource group.
4. In the Manage Resources area of the screen, select CaseStudy_NA_AD1 in the Available list, and click the Move button (<<) to move it to the Active list.
5. Click Finished.
   The Resource Groups screen opens.
6. Click the Create button to create a new Resource Group.
   The New Resource screen opens.
7. In the Name box, type CaseStudy_2 as the name for the resource group.
8. In the Manage Resources area of the screen, select CaseStudy_NA_AD2 in the Available list, and click the Move button (<<) to move it to the Active list.
9. Click Finished.
In this task, you create an access profile, and configure the access policy associated with it. The access policy contains the configuration that the user steps through when attempting to connect.
1. On the Main tab of the navigation pane, expand Access Control and click Access Profiles.
   The Access Profiles screen opens.
2. Click the Create button to create a new access profile.
   The New Profile screen opens.
3. In the Name box, type CaseStudy_AD as the name for the access profile.
4. Click Finished.
1. On the CaseStudy_AD access profile screen, click the Access Policy tab.
   The Access Policy screen opens.
2. Click the link Edit Access Policy for Profile "CaseStudy_AD".
   The visual policy editor opens in a new tab or a new window, depending on your browser settings.
3. Click the Add New Macro button.
   The Macro Template popup screen appears.
4. From the macro template list, select AD auth query and resources.
5. Click Save.
1. In the visual policy editor, click the plus sign (+) next to the AD auth query and resources macro to expand the macro.
2. On the Fallback rule branch connected to the AD Query action, click the plus sign (+).
   The Add Item popup screen opens.
3. If the list of authentication actions is not expanded, click the plus sign (+) next to Authentication to expand the list.
4. Select AD and click Add Item.
   The Active Directory action popup screen opens.
5. In the Name box, type AD Query 2.
6. Click the Rules tab.
7. Click the delete (x) button next to Expression: Active Directory Auth has passed to delete the existing rule.
8. Click the Add Rule button.
   The popup screen changes to show a new empty rule line.
9. In the Name box, type Primary Group ID is 200.
10. Next to the text Expression: Empty, click change.
   The Expression popup screen opens.
11. On the Simple tab, click the Add Expression button.
   The screen changes to show expression options.
12. From the Agent Sel. list, select AD Query.
13. From the Condition list, select Users Primary Group ID.
14. In the User's Primary Group ID is box, type 200.
15. Click the Add Expression button.
16. Click Finished.
17. Click Save.
1. In the visual policy editor, click the plus sign (+) next to the AD auth query and resources macro to expand the macro.
2. On the Primary Group ID is 100 rule branch connected to the AD Query action, click the Resource Assign action.
   The Resource Assign action popup screen opens.
3. Click the Add new entry button.
   The screen changes to display a new resource assignment entry.
5. Click the Save button.
   The Resource Assign action popup screen closes.
6. In the macro, on the Primary Group ID is 200 rule branch connected to the AD Query 2 action, click the plus sign (+).
   The Add Item popup screen opens.
7. If the list of general purpose actions is not expanded, click the plus sign (+) next to General Purpose to expand the list.
8. Select Resource Assign and click Add Item.
   The Resource Assign action popup screen appears.
9. In the Name box, type Resource Assign 2.
10. Click the Add new entry button.
12. Click the Save button.
   The Resource Assign action popup screen closes.
1. In the visual policy editor, next to the Macro: AD auth query and resources name, click the Edit Terminals button.
   The Edit Terminals popup screen opens.
2. In the Name box for the Successful terminal, replace the name Successful with the name Group100.
3. Click the Add Terminal button.
   The popup screen changes to display a new terminal line.
4. In the Name box for the new terminal, replace the name Terminal 1 with the name Group200.
6. Select the blue color #5 to change the color of the terminal, and click Update.
   Note that you can choose any color for this terminal.
7. Click Save.
8. In the macro configuration, click the Failure terminal connected to the Resource Assign 2 action.
   The Select Terminal popup screen opens.
9. Select the Group200 terminal, and click Save.
   The configured macro appears as in the following figure.
1. In the access policy CaseStudy_AD, above the macro that you have configured, click the plus sign (+) on the Fallback branch.
   The Add Item popup screen opens.
3. Select the macrocall AD auth query and resources Rules: Group200, Group100, Failure, and click Add Item.
4. On the Group200 access policy branch, click the Logon Denied ending.
   The Select Ending popup screen opens.
5. Select the Webtop ending, and click Save.
6. On the Group100 access policy branch, click the Logon Denied ending.
   The Select Ending popup screen opens.
7. Select the Webtop ending, and click Save.
8. Click Activate Access Policy.
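Once the policy is active, the decision a session receives follows the branches built across the preceding tasks: AD Auth, then the AD Query rule for primary group ID 100, then AD Query 2 on its fallback for 200, then the matching Resource Assign and terminal, then the ending chosen in the outer policy. The following is an added example in plain Python, not F5 code and not the BIG-IP policy engine; it models that flow end to end so you can check which resource group, lease pool and ending a given set of Active Directory query results leads to, including the two cases the steps do not spell out: a user whose primary group ID is neither 100 nor 200, and a failed authentication. It assumes that the Failure terminal keeps the default Logon Denied ending (the steps only change Group100 and Group200) and that primaryGroupID is compared as an integer; the session attributes passed in are constructed sample data.

```python
"""Model of the CaseStudy_AD access policy flow (added example, not F5 code).

Assumptions not stated in the appendix:
  * The Failure terminal of the macro keeps the default Logon Denied ending.
  * primaryGroupID returned by the AD Query is compared as an integer.
"""
import ipaddress
from typing import Any, Dict, Optional, Tuple

# Resource groups created in the appendix and what each one carries.
RESOURCE_GROUPS = {
    "CaseStudy_1": {"network_access": "CaseStudy_NA_AD1",
                    "acl": "AD_ACL1", "lease_pool": "AD_Lease1"},
    "CaseStudy_2": {"network_access": "CaseStudy_NA_AD2",
                    "acl": "AD_ACL2", "lease_pool": "AD_Lease2"},
}

# Lease pools from the appendix, as (start, end) address ranges.
LEASE_POOLS = {
    "AD_Lease1": ("192.168.105.1", "192.168.105.100"),
    "AD_Lease2": ("192.168.106.100", "192.168.106.111"),
}

# Macro terminal -> ending selected in the outer policy.
TERMINAL_ENDINGS = {
    "Group100": "Webtop",
    "Group200": "Webtop",
    "Failure": "Logon Denied",   # assumption: default ending left unchanged
}


def _primary_group_id(ad_attributes: Dict[str, Any]) -> Optional[int]:
    """primaryGroupID as an int; None when absent or not numeric (assumption)."""
    try:
        return int(ad_attributes.get("primaryGroupID"))
    except (TypeError, ValueError):
        return None


def run_macro(auth_passed: bool, ad_attributes: Dict[str, Any]) -> Tuple[str, Optional[str]]:
    """The AD auth query and resources macro: returns (terminal, resource group assigned)."""
    if not auth_passed:
        return "Failure", None                  # AD Auth fallback branch
    gid = _primary_group_id(ad_attributes)
    if gid == 100:                              # AD Query rule "Primary Group ID is 100"
        return "Group100", "CaseStudy_1"        # Resource Assign -> Successful, renamed Group100
    if gid == 200:                              # AD Query fallback -> AD Query 2 rule
        return "Group200", "CaseStudy_2"        # Resource Assign 2 -> Group200 terminal
    return "Failure", None                      # AD Query 2 fallback


def evaluate_policy(auth_passed: bool, ad_attributes: Dict[str, Any]) -> Dict[str, Any]:
    """Outer CaseStudy_AD policy: macro terminal mapped to its ending and resources."""
    terminal, group = run_macro(auth_passed, ad_attributes)
    return {
        "terminal": terminal,
        "ending": TERMINAL_ENDINGS[terminal],
        "resource_group": group,
        "resources": RESOURCE_GROUPS.get(group),
    }


def lease_pool_size(name: str) -> int:
    """Number of addresses in a lease pool, i.e. how many concurrent tunnels it can serve."""
    start, end = (ipaddress.ip_address(a) for a in LEASE_POOLS[name])
    return int(end) - int(start) + 1


def lease_pools_overlap(a: str, b: str) -> bool:
    """True if two lease pools share any address, which would hand the same IP to two sessions."""
    (a0, a1), (b0, b1) = ([ipaddress.ip_address(x) for x in LEASE_POOLS[n]] for n in (a, b))
    return a0 <= b1 and b0 <= a1


if __name__ == "__main__":
    # Constructed sample sessions: (auth result, attributes returned by the AD Query).
    samples = [
        (True, {"sAMAccountName": "alice", "primaryGroupID": "100"}),
        (True, {"sAMAccountName": "bob", "primaryGroupID": "200"}),
        (True, {"sAMAccountName": "carol", "primaryGroupID": "513"}),  # neither branch
        (False, {"sAMAccountName": "dave", "primaryGroupID": "100"}),  # bad password
    ]
    for auth_passed, attrs in samples:
        result = evaluate_policy(auth_passed, attrs)
        print(attrs["sAMAccountName"], "->", result["terminal"], result["ending"], result["resources"])
    for pool in LEASE_POOLS:
        print(pool, "holds", lease_pool_size(pool), "addresses")
    print("pools overlap:", lease_pools_overlap("AD_Lease1", "AD_Lease2"))
```

Two things the model makes visible that the screenshots do not: the policy keys on a single attribute, the user's primary group, not on group membership, so a user who is a member of the 100 or 200 group but whose primary group is something else ends on the Failure terminal and is denied; and AD_Lease1 holds 100 addresses while AD_Lease2 holds 12, so the Group200 branch exhausts its pool after the twelfth concurrent session.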